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(54) Method and apparatus for synchronizing f innware 



(57) The inventi^ is a method and apparatus for 
fiynchronizing ftrrrtware associated wrtti a first conputer 
device and a second conputer device, such as a seiver 
and a client computer. In accoidance with one embodn 
ment of the inventksn, the method oonririfies the steps 
of providing jnk>rmattdn regartJing a characteristic Of the 
f irnnware associated with the first and $econd devices, 
contparing the pronded firmware intomiation to deter- 
rnne if the firmware is syncluonized, and associating 



new firmware wHh tha second device to synchrorvze the 
firmware if the firmware is found to r)ot t>e synchronized 
in the comparing step. In one or more embodiments of 
the invention, the f irnMrare associated with the second 
device is not modified unless the integrity of the 
firmware to be installed on the second device is verified 
using a digital signature. 




FIG.1 
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l>escrfptlon 

BACKgROUNP QF THE INVENTIQN 
1. FIELD OF THE INVENTiON 



[0001] This IrvdrtUon relates ta computing devices, 
and mora partcutarly. to a method and apparatus for 
synchronizing the (irmware assodated with such 
de^/ices. 

[0002] Portions of the disdosure of this patent doc- 
ument may contain materia) that is subject to copyright 
protection. The copyright owner has no objection to the 
facsimile reproduction by anyone of the patent docu- 
ment or the patent disclosure as il appeais in lha Patent 
and Trademark Office file or records, but otherwise 
re^rves all copyright rights whatsoever. Sun Microsys- 
tems, Ja\/a and an Java-based trademark^ and k>go5 
are trademarks or regiater^d trademart<e of Sun Micro- 
systems. Inc. in tf^ United Slates and oitier countries. 
All SPARC trademarks ar^ used under license and are 
trademarks or registered trademarks ol SPARC Intema- 
Honal in the United States and other countries. Products 
bearing SPARC trademarks ard t^sed upon an archi- 
(ecture developed by Sun Microsystems. Inc. 

2. BACKGROUND ART 

[0003] In many electronic information communica- 
tion paradigms, first and second devices communicate 
with one another even though they may be physically 
remote. One such arrangemem is that uvhere a remote 
diem computer station oommunicates with another cti- 
ent cornputer station or a central server. 
[0004] Generally, in order for the devices to commu- 
nicate, they must interact by way of a common protocol, 
otherwise lha devices wH not "understarvj** one another. 
It is often difficult. Iiowever. to ensure that both devices, 
such as a server and a remote workstation as descrft>ed 
atxjve. are arranged to utiNze the same protocol. An 
incorrpatilTirity of the protocol between two devices may 
arise from changes m the protocol «tf one but not both 
devices. A change in protocol may arise when the 
firmware, such as software, ts upgraded on one but not 
all devices to a more recently released or 'newer" ver- 
sion. 

[0005] As an example, in the aerver/remote work- 
station arrangement described atx)ve. it is ocmmon for 
the users or clients of the rerrote worKstation(e) to 
upgrade the version of the software implemented at only 
their wodcstation. Upgrades to ihe server may be con- 
trolled t>y a completely independent entity, such as a 
system administrator, and not be coordinated at all with 
changes in the firmware (and thus protocol) at the 
remote workStatiOn{s). 

[0006] II may be possble 10 manually compare the 
firmware "version" information in order to determine if 
the workstation and server are operating with the same 



protocol, H is often impracfical to change the protoool of 
the server, and as such it is common lor the remote 
workstation to be updated with the appropriate version 
of the firmware. Thus, if a user determines that the 

5 firmware at the workstation is "okler." in the sense of a 
having numericaUy lower version number than that of 
the version operated by the server, the user may update 
software or firmware on the workstation. There are 
numerous pitfalls associated with such a procedure. 

10 [0007] A first problem is simply that there is no reli* 
able mechanism lor ensuring that multiple workstations 
and the seiver(s) are an continuous^ upclated. The 
atxYve-described update process requires a particular 
person or persons to be reeponsijie for updating the 

75 firmware associated with each workslation. trapses in 
the update process may render one or more wortcsta- 
tions associated with a network inoperat>le. 
tPOOS] Problems may arise when a ueerarttempts to 
instaO or updone firmware on their workstatiori. One 

20 problem arises when the t4>load is Internjpted, such as 
in the case of a power failure. If the updated firmware is 
only parttaVy written to the memory of the remote work- 
station when the interruption occurs, the workstation ie 
often disabled because the workstation's protocol 

25 remains Incongruous with the server with onry a partial 
update of the firmware. The disabling of the wockstatkxi 
may also occur in similar fashion if there is an error in 
the firmware load module. 

lOOOd) Another problem associated with updating 
JO firmware of a remote workstation lising an i^^load 
arrangemeril arises from security risks. Unauthorized 
persons can fbrce i^esimble software onto the work- 
station during the upload of the desared updated 
firmware, or may block the upload process. Diagnostic 
33 mechanisms which allow the insertion of code firom an 
external source are particuiariy susceptible to attack. 

SUMMARY OF THE INVEIVfTION 

^0 [0010] The invention is a method and apparatus ior 
synchronizing firmware, such as versions of software, 
associated with a first computer devk^e and a second 
computer device. 

[0011] In accordance ^th one embodin^t of the 
4S inventk>n, the method con>prises the steps of Irnnsmit- 
ting infbrmation regarding a characteristic of the 
firmware associated with the fir^ device from the first 
device to the second device, conparing the finrttware 
infc>rmation transmitted from the first device lo informa- 
so tion regaroling the same characteristic of the f inmware 
associated with the secorxl device, and associating new 
Of diHerem firmware with the second device if the char- 
acteristics assodated VMth the firmware of the first and 
second devices are not the same to ther^ synchro- 
ss ntze the firmware associated with the two devices. 
[0012] In accordance with one or more embodi- 
ments of the invention, in the event (he firmware assod- 
ated with the second device is not the same as that of 
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the f iret device, then the firmware associated wrth the 
secsond device Is modified to match or synchronize wAth 
that of the fir«t device by loading ipdated f imiware to 
the second de^ce. 

[0013] In accordance with one or more embodh s 
merits of the invention, updated firmware i$ not installed 
onto the second device until the litegrity of the updated 
firmware is verified. This prevents the introduction of 
urtwartted code, such as a virus, untrusted code, or 
other unauthojized code to the system, in one embodi- io 
ment the firmware to be instaied to the eeoorKl device 
comprises a load module having a private key associ- 
ated therewith and the step off vertiying comprises using 

a public i<ey to verify the privaiek^. ^ .. 

[0014] In accordance whh one or more embodi- is 
ments of the invention, the first device is a server which 
is capaUe of providing services to a number of interface 
devices, and the second d^/ice comprises one of such 
intertaca deviods. In accordance with one embodiment, 
the second de^e includes a memory element onto so 
which the firnnware is loaded and a read-only menory 
area wNch includes emergency firmware Ibr ensuring 
the device is net rendered inoperative in the event 
updated firmware is not properly or completely in^lled. 
fOQlS) In one or more embodiments, computer ss 
hardware and^or software is arranged to perform the 
method of the invention. 

lOOl 6] Further ob|ects. faalu-es and advantages of 
the invention will become apparent from the detailed 
descriptnn of the drawings which follows, when oonsid- so 
ered with the attached figures. 

BRIEF DESCRIPTION OF THg DRAWINfGS 

[00171 36 

FiGURE 1 illustrates a ooctputer architecture or 
system with which the present invention has partic- 
ular utilfty; 

40 

FIGURE 2 is a block diagram Hlustrating one 
embodnnem of a Human intefte» Device of the 
system illustrated in RgiA'e 1 ; 

FIGURE 3 is a flowchart ilustrating one embodi- 45 
mem of a metfKd of the invention; 

FIGURE 4 is a flowchart illustrating one embodi- 
ment of a method of updating firntware in accord- 
ance with the method illustrated in Figure 3 ; so 

FIGURE 5 is a flowchart illustrating one embodi- 
ment of a mettuxl of verifying firmware in accord^ 
ance with the method illustrated in Figure 4: 

$s 

FIGURES 6(aHc) illustrate embodiments of 
firmware load modules in aooordanoe with embodi 
ments of the invention; 
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RGURE 7 ilkistraltes an embodiment of a memory 
arrangement onto which a load module may be 
Installed: 

FIGURE 8 is a floMvchart yiustraling a boot 
8equerx:e in accordance wrth a method of the 
invention: and 

RGURE d is a block diagram of one embodiment of 
a computer system capabfe of providing a suitable 
execution environment lor an en^Mdirnent of the 
invention. 

DCTMLED DFflGRIPTIOKl OF THE INV^ NTIOM 

[0016] T?ie invention is a method and apparatus for 
synchronizing the firmware associated with two or more 
computers or other devices which are to communicate 
by etectroruc means. In the blowing description, 
rumerous specific details are set txth in order to pro- 
vide a more iliorough description of ttte preeent inven- 
tion, tt wil be apparent however, to one skilled in the 
Oft, Ihat the present invention may t>e practiced without 
these specific details. In other instances, well-known 
features have not been deecnbed m detail so as not to 
obscure the inventiorL 

Envimnmertf 

[0019] As described in more delail below, emtwdi- 
ments of the invention have application to a variety of 
Nrst and second devices arranged to communicate elec- 
tronically. One computer system architecture or system 
wTth whch the ir^ention is applicable is the enwifonmerrl 
described in Rgure 1. in this system, the at least one 
first device oonprises a corrputer device in the form of 
a central computer data source and the at least one 
second device comprises a computer device In the form 
of a "Hunan imerfece Device*- (HID). As described in 
more detail belm. in this architecture, some or all com- 
puting is done tty the central data source or service, with 
tf>e output of tie data source provided to a H to. 1>ie 
is capable of recatving data and displaying data 
[0020] In the system iHustraled in Figure 1 , the cen- 
tral data source conprfses one or more oomputational 
sarvice providers or servers 1 00. The one or more serv- 
ice providers 100 communicate with one or more HtDs 
through some interconnect fabric lOl, such as a net- 
wort<. 

[0021] In this an-angement, the corrputationat 
power and state maintenance is found in the service 
pf0V)der& TTie services are not lied to a specific oorr^- 
ter. but may be distributed over one or nrvre tradtlSonal 
desloop systems such as the conputer device 
desGTlMd in connection with Figure 9 t>eiow. One com- 
puter may have or>e or more services, or a service may 
be imptemented by one or more corrputers. The service 
pruvides computation, state, arvd data to the HiDs and 
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the service is under ih« control of a oominon aulhorrty 
or manager. In Figure 1 . the services are found on com- 
puters 110, 111. 112. 113 and 114. The centml data 
source can also be providing data thai comes from out- 
8kJe of the centraJ data source, such as lor example, the $ 
internet or workJ wide web. 

[0023] It Is the responsfcinty of the service to handle 
comnnjnicaljons with the HID that is currently being 
used to access the given service. 7»*s involves taking 
the output from the computational service arvJ convert- io 
ing it to an acceptable protocol for the HID. A method tor 
insuring tne ocwnpatitKlity ^ both partiC4)ant& using tnis 
protocol is described in detail below. 
[0023] The interconnect fabric is any of multiple 
SLitabtecomrnunication paths for carrying data between i9 
the services and the HIDs. In one errtxxliment the inter- 
connect fabric is a local area network vnplemented as 
an Ethernet networlc Any other local network may also 
be utilized. 

[0024] H one embodiment, the interconnect fabric so 
provides activeiy managed, Jow-latency high bandwidth 
Communication^ between the HID and the services 
t>eing accessed. 

[0025] The HID is the means by which users access 
cortputational services provided by the servers or serv- 25 
ices, and as such the HfD may also be referred to as a 
client or user virorkstatton or terminal. Figure 1 illustrates 
HIDs121, 12a and 123. In the embodiment illustrated, a 
HID consists of adisplay 126. a keytx>ard 124, a mouse 
125, and audio speakers 127. The HID indudes the so 
electronics needed to interface these devices to the 
interconnection bbric artd to transmit to arvl receive 
<bta to arxl from the services. 

[0026] A bkxA diagram of one embodiment of a HID 
is illustrated in Figure 2. The components at tfie HID are ss 
coupled infernally to a PCI bus 212. A network control 
block 202 oonununicates with the interconnect fabric, 
such as an Ethernet, through fine 214. An audio codec 
203 receives audio data on interlace 21 6 arxJ is coupled 
to tjlocK 202. USB data commurication is provided on 4o 
lines 213 to USB controller 201. 
[0027] An errtiedded processor 204 may be, for 
example, a Sparcaep™ with cotpled flash memory 20S 
and ORAM 206- The USB controller 201 , network con- 
trotter 202 and embedded processor 204 are afl coupled 45 
to the PCI bus 212. Also coupled to the PCI 212 is the 
video oontrofler 209. The vWeo corrtron^ 209 may be 
for example, an ATI Ragel28 frame buffer contr<^ler (or 
arv other suitabiQ controller) tiat provides SGA output 
on irie 215^ NTSC or RAL data tsprcnrictedirito the video so 
controller through video decoder 210. A smartcard 
interfa<;e 208 may also be coi4:iled to the video control- 
ler 209. 

[002S] Aftemalively. the HID can be in^ilemerrted 
using a single chif> solution induding the necessary ss 
processing capability. 

[0029] This architecture or system is described in 
greater defail in US- Patem Appikstion Serial No 
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03^063,335, assigned to the present assignee, filed 
April 20, 1998. entitled 'Method and Apparatus For Pro- 
viding A Vfrtual Desktop System Architecture" incorpo- 
rated herein lay reference. 

Method tor Synchronizing RrmwarP 

[0030] One or more ennbodiments of the invention 
comprise a method for synchroni:dng firmware assod- 
aled with at least two devices 
[0031] As used herein the term "firmware' 
intended to include, txit not be Gmrted to. any ^emem 
anwiged to permit a devloe to transmit and/or receive 
data or information, sucti as software or appTicalions 
d^ining a protocol by which information is sent or 
received. As used herein the term "syn^vonize" is 
intended to include, but not be limited to the act or result 
of causing two devices or the elements associated 
therewith to have the capacity to oornpatibly transn^ 
arxl receive information or data. 
[0032] One embodiment of the invention will be 
described in conjunction with the system described 
above and Hlustrated in Figure 1 . in accordance with this 
entxxJiment. and as illustrated in Figure 3. in a f kst step 
Si , the second device is started. In one or more ented- 
imente, such a step m^ corrphse booting or powering 
up a HID as described above. 

[0033] In a step S2. information regarding the 
firmware associated with the first and second devices is 
provided. In one or more errtxxJiments. the provided 
inforniation is set of parameters comprise data regartS- 
ing a corrwnon cfiaracterislic of the firmware associated 
wfth each device. In one or more ernbodimenis, this 
chamcteristk; information comprises a string ttiat repre- 
sents the current software revision or version or edition 
associated with the device. 

[0034] In one or more ennbodiments, this step 
includes the step of the first device which is to provide a 
servfoe to the HID. such as a central server, sarxing a 
set of initial protocol parameters to the HID v0on 
request. Tlie HID or second device may provide the 
irtformation in memory. When tf>e server or other first 
dwice provkies the information to the second devk;e, 
the data may be sent to the Hid upon the HID^ servJing 
a request such as at boot-Lfx 

[0035] Of course, it wiU be appreciated that the sec- 
ond device, such as a HID. might be arranged to send 
the information to tfie server or other first device. 
[0036] A step S3 of the method comprises conpar- 
ing the provided infomnatfon to determine if the firmware 
is synchronized- in one or more embodiments, the step 
comprises the second device, such as a HID, conpares 
its firmware information, such as a version of particular 
software, to that indicated by the set of parameters sent 
by the frrst devfceL Such as a central server. In one or 
more embo d h n ents. this comparison comprises the 
step of determining if the version of the software of the 
HID Is the same as thai indicated tyy the central servv. 
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The convianson step may conprise determniing It the 
data string representing the vereion of the firmware 
associaled with the server is identiGai to thja data string 
representing the version of the f irirtware asGociated with 
the HID. 5 
[0037] If the versions of the Goftware are the eame 
or nf\3tching (i.e. the firmware is already synchronized) 
then in a step S5, the Synchnxiization sequence ends. 
If the versions are not the saine. then in a step S4, the 
firmware associated wfth the HID is updated and then kt io 
a step S5 the sequence ends. 
[0038] One embodiment ol a method by v/hich the 
flrnnware associaled with me HfD is updated (as In step 
S4 of Rgure 3) w|)l be described in con^jnction with Fig- 
ure 4. IS 
[0039] in a fir^ step S401. the central sewer or 
otiier Service instructs the HID which version of the 
firmware the HID fs to irr^emem. and where to obtain 
the necessary firmware For exarnple, the cemral server 
may induct the HID to obtain verem XX. Y of particutar &d 
software from a particurar firmware computer or server. 
10040] lnastep540atheHIDeeek5theappit)pri- 
ate firmware server and detemnines if the firrnware 
which is to be obtained is valkJ. In one or more embodi- 
m^Tts. where the f irm^ware is obtained in the form of a 25 
load module which is loaded into memory assodated 
with the HID from the server, the HID determines if the 
load module is the correct version, is legitimate, uncor- 
rupted and the like. If so,in a step S403 the HID iploads 
or updates ttie Itrmware and inslats it ff not, the so 
firmware update is terminated. In such an event the 
HID may be anBo^ed to requests from the central 
server or service another server from which the desired 
firmware rray be obtained. 

[0041] One embodiment of a method by which an $$ 
HID determines if a load module is legitimate (step 
S402 Of Figure 4) wHI be described in more detail with 
reference to Figure 6. 

[0042] In a first step S402A. the HID obtains a load 
module from ifie ftrmvi^re server and transfers it to 40 
memory. In one or more emtiodiments. the type of 
merrvxy to Which the load module Is transited is a 
tenvora^y memory or simifar storage location. F6r 
exan^le, the HID may loaJ the load module to DRAM 
(such as DHAM 206 illustrated in Figure 2 and 45 
descrft>ed above). 

10043] In a step S40SB, the load module is deoom- 
pressed, if necessary. 

[0044] In a step S402C the HID verifies at least one 
identifying element associated with the load nvdula In so 
one or more embodrments. the step comprises verifying 
at least a di^l signature associated with tie load mod- 
ule. In one or more emtwdiments. the step conrvmses 
verifying both a header and a signature associated with 
the load module. ss 
[0045] In one or more embodiments, each load 
modtJie is provided with a header which contains one or 
more pieces of inforrnat'on. such as the size of the load 



nmiure. In the event that the HID verifies the header 
information, this aspect of the vertfication step is com- 
pleted, tf not. the HID wiH not execute the load rnodule, 
and the HID may reoontact llie central server or other 
pno\nder for information as to where to attenpt to obtain 
a valid load module. 

[0046] In one or nrKsre embodiments, each loed 
module Includes a digital signature in the fbmi of a pri- 
vate key or code which is associated with the load mod- 
ule by the manufacturer. The diem (i.e. HID) is pfx^nded 
with a pubfic key associated wrth the private key. the 
pUbKc key used to verify the signature generated by the 
private key. ff the digital signature is verified, then ttfe 
portion of the verification step rs cofnpleie. If rwt. the 
HID will not execute the load module, and the HID may 
reoontact the central server or other provider for infor- 
mation as to wtiere to atten^pt to obtain a valid load 
rttodula 

[0047] As is well kr>own, there are a variety of man- 
ners lor implemeritSng such a private/paWic key arrange- 
ment In one or more embodiments, the keys are 
encrypted to ensure their integrity. 
[0048] Figures 6(a)-(c) Rlustraie load module for- 
mats which include a header and digital signature as 
desc4)ed above. Of course, the load modules may be 
arranged In a variehr of manners and still provide the 
vertfication feature disclosed above. If tf^ firmware 
which is being installed or uploaded to the device is not 
in the form of a load rrxxiute. the firmware is stiR desira- 
bly configured to include information such as that 
described above for ensuring the rttegrity of the 
frmware. 

[0049] If the load module is verified, then and only 
then (s the load module is accepted, such as by writing 
it to a memory associated with the HID. such as the 
readAwrite portion of the flash 205 of the HID. In Ihs 
anangement. the load modUe is not written to the flash 
unless the load module is verified. 
[0050] As another aspea of the invention, there is 
provkled a method for ensuring that a parbal or other- 
wise inconnplete update of the firmware does not render 
the HID inoperative. In acccvdance with this method, the 
HIP indudes a means for starting or booting the HID in 
Ihe event certain of the firmware associaled with the 
HID is corrupi. in one or more embocfments, this means 
Gornpnses an emergency triviaf fie transfer protocol 
(TFTP) loader qspication associated wHh the HID. m 
one or more embodiments, the emergency loader appii- 
catk>n is stored in a write-protected sector of the HlD's 
flash 205. 

[0051] Rgure 7 illustrates an anangemem of a flash 
memory 205 for inplementing this mettiod. As illus- 
trated therein, the flash has a first read/write region 710 
and a second read-only region 712. The read-only 
region 712 includes a stand-akvne TFTP boot or 'emer- 
gency loader 714 program. This emergency loader pro- 
lyam 714 includes a protocol *or transferring files, such 
as the desired updated firmware load module. 
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[0052] This figure also illustrates that the load mod- 
ule verincatpon stops of the method ma^ be assoctated 
with an application which is stored in a memory associ- 
ated with the HtD. In the errtxxSiment illustrated, the 
application is stored in the read-only region 712 of the s 
HID^B flash memory 205. and cpied to HIO memory on 
power-up. 

[0053] tn accordance wfth the method, the emer- 
gency loader 714 can not be o^renvrrtten, e\/en with a 
load module which is toeing tfiloaded in order to syn- ro 
chronize firmware. In the »^ent of a failure in a normal 
boot application stored in the nnain readAwrcte region 
710. the emer9efK;y loader 714 may t>e utilized to con- 
tact the central server to obtain updated firmware in the 
form of a load module, in the event the load module Is is 
otTtained in this manner, one errdxxliment of the method 
includes the step of performing a retxxst of the HID, 
whereby the updated application will run instead the 
emergency loader after the load module is successfully 
installed. so 
E00S»4] In accordance wOh the above-described 
method, the only time an HID c^n not be used on 
demand is in the event a firmware update was unsuc- 
cessful and the emeigency loader is unable to get a 
goxl load from a firmware server. In such an event n5 
however, tha HID is only temporarily disablad untif the 
errwrgency loader is able to contact a Ormware server 
and obtain and complete an update of the Tirmware. 
[0055] Rgure 8 is a flotarchart illustrating an embod- 
iment of a boot sequence for a HID incorporating the 
method dc&Grit>ed above. In a step S801. the HID is 
powered, booted up or reset In a step 8602 ^ rnmali- 
zation and testir«g sequence is coriYiieted, as is well 
known In the art of corrputer devices. In a step S803 ft 
is determined if there is an external PROM, yes. then as 
in a step SS04 the information contained On the external 
PROM is decompressed into RAM (such as DRAM 206 
illustrated in Figure 2). The intonnation contained on the 
external PFOM may comprise a k>ad module con^ris- 
ing firmwara In step G805, it is detenmined if the load 40 
module has a vaTid elgnatire (as described above in 
conjunction wHh step S402C), If sol the load module is 
executed in a st^ S807. 

[0056] If in step S805 it is determined thai the sig- 
nature associated with the load rrNidute is not valid or if 45 
in step G803 it is determined that there is no external 
PROM, then in a step SB07 It is detem^ned If there is a 
vaU readAwrite flash, ft is noted that in nmet instances 
an external Pf=OM will not be present. TTie eternal 
PROM may t>e associated with the HiD when the Hip Is 
initialized or started the vo-y first time, or when the HID 
is rendered completely inoperable through destruction 
of an code on its flash. 

[00S71 If in step S807 it is detemiinod that there is a 
valid readAwrite flash, i.e. that the proper firmware is 
present in the readiWrfte section of the HIDs flash, ihen 
in a step SGOd the f imnware is decompressed into RAM. 
In a step 8809 it is then determined K the firmware, such 
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as a load module, has a valid signalure (as described 
above in confundion with step S402C). if so. the load 
module is executed in a step S810. 
[P058] If the signature is not valid, then in a step 
S&11 it is determined if the HID was started cold or 
warm (i.e. cold or warm boot). If the signature is invalid 
and the boot was a warm boot then in a step 8812 the 
sequence ends with an indication to a user of ^lure and 
the need to reboot the HID, such as by Winking an I^D 
indkiator. 

[0059] If the boot sequence was cold (i.e. warm » 
no) then in a step S813 ttw emergency txwt sequence 
is started l^y decompressing the TFTP boot rnfbrmation 
to RAM. In step S614 it is determined If the sFgnature 
associated with the infixmation loaded into RAM is 
valid. If not, then in step S612 the sequence ends as 
descrbed above (a bad signature indicating that the 
firmwere has been oompfomrsed). 
[00 60] the signature is valid, then in a st^ S815 
gie^ Ti-ir boot is executed- As described above, the 
TFTP boot is designed to seek a new copy of the load 
module. In a step Sai6 it is determined rf the load mod- 
ule is found and uploaded. If not then in a step S81 7 the 
sequence ends in a similar manner to that associated 
with step S812. 

[0061] If a valid upload of the loed module is 
obtained, then in a step 8016 the sagnaiure associated 
with the load module is veiifled. If in step 8819 it is 
determined that the signature is invalid, the sequence 
ends in step S81 7. if the signature is valid, indicating the 
integrity of the load module, then in a st^ SQ20 the load 
module is written to the readAvrite portion of the flash of 
the HID, and a reset occurs. 

[0062] It should be understood thai the load module 
may be obtained from a variety of sources. In the above- 
descnbed sequence, the load module is first obtained 
from an extemal PROM. Of coirse. the load module 
might be obtained from a network or a variety of other 
types Of memory devices. In addition, while the load 
modi^e and TFTP emergency boot have been 
descrbed as associated with ftasfvtype memory, they 
may be associated with a variety of ottier types of mem- 
ory A foad module may also be obtained through a 
diagnostic port associated with the HID or other device. 
Regardless of the source, however, the integrity or valid- 
ity of the firmware is always cor^irmed throtgh the use 
of a digital signature auttiorizaiion. 
10063] In aoconJance with the obove^eecrftsed 
method, the server or other central device ie arranged to 
update or synchronize the firmware of the remote 
device, or HID. In this arrangement the HID or other 
remote device is prevented from updating or changing 
the firmware which is on the cer^l device or server. 
[0064] In accordance with the above-descrftied 
method, rf the firmware associated with a centraJ device, 
such as a server, is updated, then all of the remote 
devices such as HIDs are automatically i^xlated as 
well. In one or more embodiments of the invention. 
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instead of the uptMa or synchnonizatiOfi process only 
occurring after the HID or other de\nca is powered or 
booted \^ the synchronization may be arranged to 
occur at a wide variety of times. For exarnple. a server 
may be arranged to send a signal to each HID to trigger s 
the update process at predetermined inter\/als. 
[0065] In accordance with one aspect of the above- 
described method, the iifnwwe associated with the two 
devices is synchronized reganlless of which device has 
the oider or rKwer version. This is because synchroni- to 
zation occurs whena/er the firmware associated with 
the two devices ts not identical, not just when one 
device, such as the HID. has a numerically lower or 
higher version that the central device. Thus, even if the 
server has an older veision of the firmware than the is 
HID. the finnware associated with the HID will be syn- 
chronized with that of the server by installing the okJer 
version of the firmware onto the hid. This ensures tfiat 
the server arxJ all HIDs are always operating wfth com- 
mon f rmware. 20 
[0066] While in the method ddscrit^ed Eritxyve the 
firmware which is described as being loaded to the HID 
IS the same version as that of the ik&t device, such as a 
server, such need not be the ca^o. As provided above, 
an aspect of the invention Is 10 sync^rcinize the devices 2S 
so that they utilize a protocol which permits compatible 
communication. In some instances, an HiD and a server 
may operate wHh different versions of firmware wrfiich 
sUII achieve this goal. Thus, as other aspects of the 
invention, the frmware which is uploaded to an HID 30 
need to be the Same as that of the sender, as iortg as the 
uploaded firmware iJtimately provides the desired syn- 
chronization in protocol. In this reganJ, in the "compar- 
irig' step (S3 in Rgure 3) it is only necessary to 
determine if the firmware is matching or the same such as 
as to determine whether the firmware is already syn- 
chronized. 

[0067] By way o^ exarr^jie. if versions 6-Oa and 6.0b 
of particutar firmware are oonpatible, the HID may be 
arranged to compare a string X.X (eliminaiing the a arKi 40 
b) provided by the server to its version to determine if 
the firmware is synchronized. If the HID is operating 
with non-con^tible version 5.0a. then the strings 5.0 
and 6.0 will not match, indicated that the rrmiware is not 
synchronized and requiring the HID to instan new 45 
firmware. The newly installed or uploaded firmware may 
be version 6.0a or 6.0b. regardless of wtiat version the 
server is using, ^nce either version pn^/idee synchroni- 
zation. 

[0068] While methods of the invention have been so 
descra>ed in association with the system iirustratad In 
Figure 1. as described above, embodiments of the 
invention may be associated w'rth a wide-variety of oHw 
systems or devices, such as general purpose computer 
900 llustrated in Figure 9 and described in nxre detail &5 
k>elow. Thus, an emtxxJiment of ttie invention can be 
implemented as computer software tn the form of com- 
puter readable code executed on computer 900 or other 
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device, or in the form of byteoode dass files executable 
within a Java*" mnt'me envlronmert running on such a 
computer or other device, or in the fbmr^ of bytecodes 
running on a processor (or devices enat3(ed to process 
bytecodes) eidstrng in a dfetributed environment (e.g., 
one or more prooessore on a network). 
[0069] Refening to Figure 9. the general purpose 
computer 900 includes a keytmrd 910 and mouse 91 1 
coupled to a system bus 916. The keytxiard and mouse 
are for introducing user fnput to the computer system 
and commun'rcating that user input to processor 913. 
Other suitable irrput devices may be used in addition to. 
or In place of. the mouse 011 and keyboard 910. WO 
(input/output) unit 919 coupled to system bus 91 8 repre- 
sents such UO elements as a printer, AA/ (audio/Video} 
I/O, eto. 

(OOTtg Conputer 900 includes a vkJao memory 

914, main memory 915 and mass storage 9l2, a^l cou- 
pled to system bus 91 8 along with keyboard 910. mouse 
911 and proceeeor 913. The mass stoa^ge 912 may 
include both fixed and removable media, such as mag* 
netic. optical or magnetic optical storage systems or any 
other available mass storage technology Bus 916 may 
contain, ^ example, thirty-two address lines ior 
addressing video memory 914 or rnain memory 9 15. 
The system txis 91 8 also includes, for e^mple, a 64-bit 
data bus for transferring data between and among the 
components, such as processor 913. main menwry 

915, video memory 914 and mass storage 912. Alterna- 
tively, muttiplex data/address lines may be used Instead 
of separate data and address ines. 

[0071] In one embodiment of the inventkm. the 
processor 913 is a microprocessor manufectured by 
Sun Microsystems, Inc., such as the SPARC™ rrvcro- 
processor, or a microprocessor marufactured by 
Motorola, such as the 680X0 processior, or a nrdooproc- 
essor maf^ctu-ed by Intet. such as the 80X86, or Pen- 
tium processor However, any other suitatto 
micrpprocessor or mlcrooon^puter may be utifi2edL Main 
memory 915 is corrprised of dynamic random access 
memory (DRAM). Vkleo mennory 914 is a dud-ported 
vkieo random access memory. One port of the vkjeo 
nnemory 914 is coupled to vkJeo amplifier 91& The 
video amplVier 91 6 is used to drive the cathode ray tii>e 
(CRT) raster monitor or display 91 7. Vdeo anpHier 91 6 
is wall known in the art and may be implemented by any 
suitable apparatus. This circuitry oorweris pixel data 
stored in vkJeo memory 914 to a raster signal suitable 
for use by nKMiHor 91 7, Monitor 9 1 7 is a type of monitor 
suitable lor displaying graphic images. 
[0072] Con^uter 900 niay also indude a convYuii- 
cation interface 920 coi^sled to bus 918. Communica- 
tksn imerface 920 provides a two-way data 
corTvnunicatk>n coupling via a network link 921 to a kx^al 
network 922. For eiranple. if communication interface 
920 is an integrated services digital network (ISDN) 
card or a modem, commuricatnn interface 920 pro- 
vides a data communicatk>n connection to the oorre- 
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8ponding type of telephone lin^ which convHlsee part 
of ndtw0fklnk921. If communication inteilaoa 920 is e 
local area netuvork (LAN) card, comrrtinication internee 
920 provides a data communication oonnectioqri via net- 
work link 921 to a compatible LAN. Wireie^ links are s 
also possibla In any such implementalion. communica- 
tion interface 920 sends and receives electrical, electro- 
magnetic or optical eignalB which carry digital data 
streams representing various types of irrlormation. 
[0073] Netwvork link 921 typically provides data to 
communication through one or more networks to oiher 
data devices, fnor example, n^work link 921 may pio- 
vUe a connection through local network 922 to local 
server conr^er 923 or to data equipment operated t}y 
an Interrret Service Provider (ISP) 924- ISP 924 in turn is 
provkles data communication servk^ through the 
world wide pad^ data communication network now 
commonly referred to as the "Imernef* 92S. Local net- 
work 922 and Internet 925 both use electrical, electro- 
nnagnetic or optical signals whteh carry digiial data 20 
streams. The signals through the vark>us networks and 
tha signals on network link 921 and through communi- 
cation interface 920, vuhich carry the difittat data to and 
from computer 900. are exemplary forms of carrier 
waves transporting the information. 25 
[0074] Computer 900 can send messages and 
receive data, including program code, through the net- 
work(s). network link 921 , and communkcatksn interface 
920. In the Interne! example, remote saiver computer 
926 might transmit a requested code for an application 30 
program through Imernet 325, ISP 924, local network 
922 and communication interface 920. 
[0075] Ihe received code may be executed by proc- 
essor 913 as it is received, andAx stored in mass bor- 
age 912, Or other nort-volatile storage for later as 
execution. In this nr)anner, computer 900 may obtain 
application code in the form of a carrier wave, 
[0076] Applicatkxi code may be embodied in any 
form of corrputer program product. A computer program 
product comprises a medium configured to store or 40 
transport computer readable code, or In which oonputer 
readable cede may be enrA>edded. Some examples of 
computer program products are CD-ROM dfekss ROM 
cands. ftopp/ disks, magnetic tapes, computer hard 
drives, servers on a network, and canier waves^ 4s 
[0077] The computer systems described above ere 
lor purposes of ejcen^e only An ernbodvnent of the 
iiwention may be implemented in an/ type of oonputer 
system cr programming or processtng environment. 
[0078] As wifl be appreciated by those of skill in the so 
art there is a wide variety of configurations for hardware 
and software for accomplishing the method of the inven* 
tion other than that descrfeed atxve. 
[0079] Of course, the foregoing description is that of 
preferred embodiments of the invention, and various ss 
changes and modifications may be made without 
departing from the ^irit arvl scope of the invention, as 
defined by the claims. 
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[OOBO] The features "disdosed in the foregoing 
descr^jtion, in the claims and/or In the accompanying 
drawings may. both separately and in any combination 
thereof, be material for realising the invention in diverse 
forms thereof. 

Ctaims 

1. A method of synchronizing firmware associated 
with a first corTV3uter device and a second computer 
device oomprising the steps of: 

providing Infdrmatron regarding a characteristic 
of the firmware associated with said first 
device; 

providing information regarding a characteristic 
of the firmware associated with said aecorxi 
device, said characteristic of said firmware 
assodated with said second device being com- 
mon to said characteristic of said firmware 
a&SQdated with said first device: 
comparing said firmware information associ- 
ated with said fjr«t device to information regard- 
ing sakS firmware associated with said second 
device to determine if said characteristic is 
matching: and * 

associating seoond firmwvare with said second 
device if said characteristics assodated with 
said firmware of said first and second devices 
are not matciiir>g. whereby said firmware asso- 
ciated with said frrst and seoond devices are 
synchronized- 

2. Ihe nnethod In accoidance with Claim 1 wherein 
said characteristic comprises a version of said 
firmware- 

3. The method in accordance with Claim 1 wherein 
Seud step of modifying corrprises uploading said 
second firmware to said secorKl device and install- 
ing said second f rmw^re to sakj second device. 

4. The method in accordance with Claim 3 including 
the step of verifying the integrity of said second 
llrmware t>efore it is installed. 

5. The method in accordance with Claim 4 wherein 
said firnfiware corrprises a load modurie having a 
private-key-t»ased digital signature aesodated 
therewith and said step of verifying comprises the 
step ol verifying said private key with a puUic key. 

6- The method in accordance with Claim 4 who^w 
said step of verifying comprises the verifying a dig- 
ital stgnatura 

7. The method in accordance with Claim 1 wherein 
saki first device corrprises a server and said sec- 
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ond device comprises a cfiem device. 

8. The method in aocoidance with Claim i including 
the step of said f frst device transmittinQ information 

to said second de^e location Infomrntion for $ 
obtaining said second firmware. 

9. The method in accordance with Claim 8 rnctuding 
the step of loading said second firmware into a first 
memory associated wrih sad second device and w 
installing said second lirmware into a second mem* 
ory associated with said second device. 

10. The method in accordance with Claim a Including 
the steps of confirmtng K said second frmw«re is 15 
properly Installed into said second memory, and if 
not, said firmware associated with saKi second 
device obtahtvig information regarding location 
information for obtaining said secorKi firmware and 

re- associating said second firmware from said 20 
location with said second device. 

11. The method in accordance with Oaim 8 including 
the step of confinning the mtagrity ctI said second 
firmware before installing said firmware into said 
second memory. 

12. The method in accordance with Oaim 1 including 
the step of prevenling unwanted code from being 
introduced to said second device by verifying the jo 
integrity of said firmware before it is installed. 

1 3. The method in accordance with Qaim 1 wherein 
first firmware and third firmware is associated with 
said second device, said thini firmware permitting 
said second device to remain operationaf in at least 
one mode in the event of a failure in associating 
said second firmware with said second device, and 
wherein said step of associating said secorxf 
firmware comprises replacing only said first 4q 
firmware and not said third firmware with said sec- 
ond lirmware. 

14. The method in accordance with Claim 13 Yvherein in 
said at least one mode sakJ second device is «5 
anwged to associate said second firmware, and in 
the cfvem of a failure n said step of associating said 
second firmware, said method indudes the step of 
said third firmware causing said second device to 
r^^sociate said secorKj firmware wHh said second so 
device 

15- A computer program prodtxn comprising: 

a conputer usable medium having computer 55 
readable program code embodied tfierein for 
synchronizing firmware associated with a first 
device and a second device comprising: 
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computer readable program code configured to 
cause B ccvrputer to provide triformat'on 
regarding a characteristic of the firmware asso- 
ciated with said firet device: 
conrfiuter readable program code configured to 
cause a conrputer to provide information 
regarding a characteristic of the f irrrrware asso- 
ciated with said second device; 
computer readable program code configured to 
cause a conputer to corrpare said provided 
firmware information regafding a characteristic 
of said first and second devices to determine if 
aaid characteristics match; and 
conputer readable program code configured to 
associate second firmware with sard secorx^ 
device if said characteristics associated with 
said firmware of said first and second devices 
match, whereby said firnrtware associated with 
said frst and second devices is synchronized. 

1Q. The computer program product in aocondanoe with 
Claim 15 indudfng computer readat^le program 
code configured to verify said secorid firmware 
before said second firmware is associated with said 
second device. 

17- The computer program product in aocofdarwe with 
Claim 16 wherein said computer readable program 
code is configured to verify a private-key-based dig- 
ital signature associated with said second firrnware 
With a public key. 

18^ The conrvMJter program product in aoootdance with 
Claim 15 Including computer readable program 
code configured to load said second flrmwara into a 
Hrst memory associated with said secorxJ devfce 
and then install said second firmware into a second 
memory associated with said second device. 

19. The computer program product In acoondance with 
Claim 15 including computer readable program 
oode configured to compare a first string represent- 
ing a version of firmware associated with said first 
device to a second string representing a version of 
firmware associated wKh said secorxJ device to 
determine if said characteristics are the same. 

20. The computer program product in accordance with 
Claim 15 wherein said second device includes tNfd 
finnriware and said computer readable program 
code configured to associate said second firmware 
with said second device is configured to replace 
only said first and not third firrnware associated with 
said second device with said second firmware 

21. The computer program product in accordance with 
Claim 20 wherein said third firmware comprises 
computer readable program code for re-associating 
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said second firmvware in the event said replacement 
IS unsuccessful. 

22. The corrputer program product in acoordance with 
Claim 15 including computer readat)te program 5 
code arrangad to prevent the introduction of 
unwantad code to said second device by preventing 
association of said second firmware with said sec- 
ond device unless ftie integrity said firmware is 
verified. w 

23. A corrputer network comprising: 

a least one client oonrpLfter; 
at least one server; 15 
means for detemnining cf a first frmware asso- 
ciated with said at least one server is synchro- 
nized with a second firmware associated wHh 
said at least one client computer; and 
means ior associating third firmware with said 
at least one client computer in the event said 
first and second firmware is not synchronized. 
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FIG. 3 
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